<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta content="Cask Data, Inc." name="author" />
<meta content="Copyright © 2016-2017 Cask Data, Inc." name="copyright" />


    <meta name="git_release" content="6.1.1">
    <meta name="git_hash" content="05fbac36f9f7aadeb44f5728cea35136dbc243e5">
    <meta name="git_timestamp" content="2020-02-09 08:22:47 +0800">
    <title>Secure Storage</title>



</head>
<body role="document">

<!-- block main content -->
<div class="main-container container">
  <div class="row"><div class="col-md-2">
    </div><div class="col-md-8 content" id="main-content">
    
  <div class="section" id="secure-storage">
<span id="admin-secure-storage"></span><h1>Secure Storage<a class="headerlink" href="#secure-storage" title="Permalink to this headline">🔗</a></h1>
<p>Applications may need controlled access to sensitive data such as passphrases, cryptographic keys, access tokens, and
passwords. This data is usually small in size, but it needs to be stored and managed securely.
<em>Secure Storage</em> allows users to store such sensitive information in a secure, encrypted manner. Data is encrypted
upon submission to CDAP (via the RESTful or programmatic APIs) and is decrypted upon retrieval.</p>
<p><strong>Note:</strong> As of CDAP 3.5.0, encryption and decryption of the contents happen only at the secure store
itself, not while the data is in transit to or from the store. Secure Storage therefore protects secrets at rest, not on
the wire: transport of secure keys is protected only when SSL is enabled for the CDAP system services (see
<a class="reference internal" href="system-services.html">Enabling SSL for System Services</a>). Without SSL, a secret that
is submitted or retrieved over plain HTTP is exposed on the network even though it is stored encrypted.</p>
<div class="section" id="secure-storage-format">
<span id="admin-secure-storage-format"></span><h2>Secure Storage Format<a class="headerlink" href="#secure-storage-format" title="Permalink to this headline">🔗</a></h2>
<p>An entry in secure storage consists of:</p>
<ul class="simple">
<li><strong>Key</strong>: An alias for the entry, also referred to as a <span class="xref std std-term">Secure Key</span>.
Data is stored against the provided key and can be retrieved using the same key.
The key must consist only of characters from the <span class="xref std std-ref">Alphanumeric Character Set</span>, must be
entirely <em>lowercase</em>, and should start with a letter.</li>
<li><strong>Data</strong>: The data which is to be stored in a secure and encrypted manner. This could be a passphrase,
cryptographic key, access token, or any other data that needs to be stored securely.</li>
<li><strong>Description</strong>: A description for the secure store entry.</li>
<li><strong>Properties</strong>: A string map of properties for the secure storage entry. A <code class="docutils literal notranslate"><span class="pre">creationTime</span></code> property is available
for all secure store entries by default. Additional properties can be supplied by users at the time of creation.</li>
</ul>
<p>CDAP provides two different implementations of secure storage, depending on the runtime.</p>
</div>
<div class="section" id="file-backed-secure-storage">
<span id="admin-secure-storage-file"></span><h2>File-backed Secure Storage<a class="headerlink" href="#file-backed-secure-storage" title="Permalink to this headline">🔗</a></h2>
<p>File-backed secure storage is available for use with in-memory CDAP (unit-test) and
CDAP Sandbox modes. It uses the
<a class="reference external" href="https://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html#KeyManagement">Sun JCEKS</a>
keystore implementation for storing secure keys. This implementation is not available in
<span class="xref std std-term">Distributed CDAP</span>, because it keeps the secure data in the local file system of a
single machine, and the store would therefore not be available on all nodes of a distributed cluster.</p>
<p>To use this mode, set these properties:</p>
<ul>
<li><p class="first">In <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>, set <code class="docutils literal notranslate"><span class="pre">security.store.provider</span></code> to <code class="docutils literal notranslate"><span class="pre">file</span></code>:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;</span><span class="n">property</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">name</span><span class="o">&gt;</span><span class="n">security</span><span class="p">.</span><span class="na">store</span><span class="p">.</span><span class="na">provider</span><span class="o">&lt;/</span><span class="n">name</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">value</span><span class="o">&gt;</span><span class="n">file</span><span class="o">&lt;/</span><span class="n">value</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">description</span><span class="o">&gt;</span>
    <span class="n">Backend</span> <span class="n">provider</span> <span class="k">for</span> <span class="n">the</span> <span class="n">secure</span> <span class="n">store</span>
  <span class="o">&lt;/</span><span class="n">description</span><span class="o">&gt;</span>
<span class="o">&lt;/</span><span class="n">property</span><span class="o">&gt;</span>
</pre></div>
</div>
</li>
<li><p class="first">In <code class="docutils literal notranslate"><span class="pre">cdap-security.xml</span></code>, set <code class="docutils literal notranslate"><span class="pre">security.store.file.password</span></code> to the password that protects the secure storage (JCEKS) file.
<strong>Note:</strong> If the <code class="docutils literal notranslate"><span class="pre">cdap-security.xml</span></code> file does not already exist, it needs to be created.
Because this password is written in clear text in <code class="docutils literal notranslate"><span class="pre">cdap-security.xml</span></code>, choose a strong value rather than the placeholder shown below,
and restrict read access to <code class="docutils literal notranslate"><span class="pre">cdap-security.xml</span></code> and to the backing store file to the user account that runs CDAP:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;</span><span class="n">property</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">name</span><span class="o">&gt;</span><span class="n">security</span><span class="p">.</span><span class="na">store</span><span class="p">.</span><span class="na">file</span><span class="p">.</span><span class="na">password</span><span class="o">&lt;/</span><span class="n">name</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">value</span><span class="o">&gt;</span><span class="n">your</span> <span class="n">password</span><span class="o">&lt;/</span><span class="n">value</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">description</span><span class="o">&gt;</span>
    <span class="n">Password</span> <span class="n">to</span> <span class="n">access</span> <span class="n">the</span> <span class="n">key</span> <span class="n">store</span>
  <span class="o">&lt;/</span><span class="n">description</span><span class="o">&gt;</span>
<span class="o">&lt;/</span><span class="n">property</span><span class="o">&gt;</span>
</pre></div>
</div>
</li>
<li><p class="first">The path and the filename of the backing file can be configured in <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>
using these (optional) settings:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;</span><span class="n">property</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">name</span><span class="o">&gt;</span><span class="n">security</span><span class="p">.</span><span class="na">store</span><span class="p">.</span><span class="na">file</span><span class="p">.</span><span class="na">path</span><span class="o">&lt;/</span><span class="n">name</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">value</span><span class="o">&gt;</span><span class="n">$</span><span class="p">{</span><span class="n">local</span><span class="p">.</span><span class="na">data</span><span class="p">.</span><span class="na">dir</span><span class="p">}</span><span class="o">/</span><span class="n">store</span><span class="o">&lt;/</span><span class="n">value</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">description</span><span class="o">&gt;</span>
    <span class="n">Location</span> <span class="n">of</span> <span class="n">the</span> <span class="n">encrypted</span> <span class="n">file</span> <span class="n">which</span> <span class="n">holds</span> <span class="n">the</span> <span class="n">secure</span> <span class="n">store</span> <span class="n">entries</span>
  <span class="o">&lt;/</span><span class="n">description</span><span class="o">&gt;</span>
<span class="o">&lt;/</span><span class="n">property</span><span class="o">&gt;</span>

<span class="o">&lt;</span><span class="n">property</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">name</span><span class="o">&gt;</span><span class="n">security</span><span class="p">.</span><span class="na">store</span><span class="p">.</span><span class="na">file</span><span class="p">.</span><span class="na">name</span><span class="o">&lt;/</span><span class="n">name</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">value</span><span class="o">&gt;</span><span class="n">securestore</span><span class="o">&lt;/</span><span class="n">value</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">description</span><span class="o">&gt;</span>
    <span class="n">Name</span> <span class="n">of</span> <span class="n">the</span> <span class="n">secure</span> <span class="n">store</span> <span class="n">file</span>
  <span class="o">&lt;/</span><span class="n">description</span><span class="o">&gt;</span>
<span class="o">&lt;/</span><span class="n">property</span><span class="o">&gt;</span>
</pre></div>
</div>
</li>
</ul>
</div>
<div class="section" id="hadoop-key-management-server-backed-secure-storage">
<span id="admin-secure-storage-kms"></span><h2>Hadoop Key Management Server-backed Secure Storage<a class="headerlink" href="#hadoop-key-management-server-backed-secure-storage" title="Permalink to this headline">🔗</a></h2>
<p><a class="reference external" href="https://hadoop.apache.org/docs/stable/hadoop-kms/index.html">Hadoop KMS (Key Management Server)-backed</a>
secure storage is available for use with <span class="xref std std-term">Distributed CDAP</span>.</p>
<p>To use this mode, set this property:</p>
<ul>
<li><p class="first">In <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>, set <code class="docutils literal notranslate"><span class="pre">security.store.provider</span></code> to <code class="docutils literal notranslate"><span class="pre">kms</span></code>:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;</span><span class="n">property</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">name</span><span class="o">&gt;</span><span class="n">security</span><span class="p">.</span><span class="na">store</span><span class="p">.</span><span class="na">provider</span><span class="o">&lt;/</span><span class="n">name</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">value</span><span class="o">&gt;</span><span class="n">kms</span><span class="o">&lt;/</span><span class="n">value</span><span class="o">&gt;</span>
  <span class="o">&lt;</span><span class="n">description</span><span class="o">&gt;</span>
    <span class="n">Backend</span> <span class="n">provider</span> <span class="k">for</span> <span class="n">the</span> <span class="n">secure</span> <span class="n">store</span>
  <span class="o">&lt;/</span><span class="n">description</span><span class="o">&gt;</span>
<span class="o">&lt;/</span><span class="n">property</span><span class="o">&gt;</span>
</pre></div>
</div>
</li>
</ul>
<p>For additional information on integration with Hadoop KMS, please refer to
<span class="xref std std-ref">Integrations: Apache Hadoop KMS</span>.</p>
</div>
<div class="section" id="accessing-the-secure-storage">
<h2>Accessing the Secure Storage<a class="headerlink" href="#accessing-the-secure-storage" title="Permalink to this headline">🔗</a></h2>
<p>The <span class="xref std std-ref">Secure Storage HTTP RESTful API</span> has endpoints for
creating, retrieving, deleting, and otherwise managing secure keys. Because a retrieval returns the decrypted data,
consider restricting who may call these endpoints using CDAP
<a class="reference internal" href="authorization.html">Authorization</a>.</p>
</div>
</div>

</div>
    <div class="col-md-2">
    </div></div>
</div>
<!-- block main content end -->
  </body>
</html>